Monday, November 12, 2007

Teaching Cyber Jihadists How to Hack

Yet another indication of the emerging trend of building a knowledge-driven cyber jihadist community is online archives like this one, holding standard security and hacking research papers localized into Arabic, ones you have definitely come across before, or may in fact have written yourself. As I've already discussed in previous posts, this trend is a PSYOPS strategy in action, one aiming to improve the overall perception of cyber jihadists' ability to wage their battles without using the software and web services of their enemies. Whether the investment in time and resources is worth it is another topic; what's worth pointing out is the effort they put into localizing the content, adding the standard propaganda layer in between, and later on building a community around it.

p0rn.gov - The Ongoing Blackhat SEO Operation

Want pr0n? Try .gov domains in general, which have been getting the attention of blackhat SEO-ers for a while, just like the most recent related cases where the City of Chetek, Wisconsin, the City of Somerset, Texas and the Town of Norwood, Massachusetts got their blackhat SEO injection. The previous attack is related to the one I'll assess in this post: the blackhat SEO tool is the same, given the static subdomains generated. What remains to be answered is how they managed to get access to the control panels of the domains in order to add the subdomains. Let's look at the facts :

- the targets in this attack are The Virgin Islands Housing Finance Authority (VIHFA), and the City Of Selma, Alabama

- this is the second blackhat SEO operation uncovered during the past couple of months targeting .gov domains

- access to the control panels is somehow obtained so that subdomains pointing to 89.28.13.207 (89-28-13-207.starnet.md) and 89.28.13.195 (89-28-13-195.starnet.md) are added at both domains

- both .gov domains that are targets in this attack are using a shared hosting provider, meaning their IP reputation is in the hands of everyone else's web activities responding under the same IP

- no malware is served in this incident, unlike the previous one, which combined malware and blackhat SEO

Subdomains at City of Selma currently hosting around 9000 blackhat SEO pages :

Subdomains at the Virgin Islands Housing Finance Authority with constantly changing structure :

Related subdomains now no longer responding :

2k110.x.vihfa.gov
2k106.x.vihfa.gov
j11.y.vihfa.gov
j9.y.vihfa.gov
z1.z.vihfa.gov

Where's the connection between this blackhat SEO operation and the previous one? It's not just that the subdomains at the two different .gov's are resolving to IPs from the same netblock, but also that 89.28.13.202 is responding to the City of Somerset's subdomains from the previous incident, such as : j6.y.somersettx.gov; st9.x.somersettx.gov; x.somersettx.gov.

Looks like someone in Moldova will get spanked for these incidents.
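The netblock pivot made above, as an added example that is not from the original post: it takes subdomains and IPs from both incidents (the pairing of each name with a specific IP, and the legitimate 203.0.113.0/24 block, are constructed for the example), groups them by /24, and flags any .gov zone whose subdomains resolve outside the blocks its owner actually uses. This is the check a zone owner would run against their own DNS to catch injected subdomains.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of name -> resolved IP. The names and the 89.28.13.x
# addresses appear in the post; which name maps to which IP, and the
# legitimate 203.0.113.10 host, are assumptions made for this example.
OBSERVED = {
    "m21.selma-al.gov": "89.28.13.207",
    "m22.selma-al.gov": "89.28.13.207",
    "a1.a.vihfa.gov": "89.28.13.195",
    "j6.y.somersettx.gov": "89.28.13.202",
    "st9.x.somersettx.gov": "89.28.13.202",
    "www.selma-al.gov": "203.0.113.10",  # the site's real host (constructed)
}


def zone_of(name):
    """Registrable zone: for .gov names, the last two labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def netblock(ip, prefix=24):
    """The /prefix network an address belongs to."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def group_by_netblock(observed, prefix=24):
    """Map each netblock to the set of zones whose subdomains resolve into it."""
    groups = defaultdict(set)
    for name, ip in observed.items():
        groups[netblock(ip, prefix)].add(zone_of(name))
    return groups


def shared_netblocks(observed, prefix=24):
    """Netblocks serving subdomains of more than one zone: the cross-incident pivot."""
    return {str(block): sorted(zones)
            for block, zones in group_by_netblock(observed, prefix).items()
            if len(zones) > 1}


def foreign_subdomains(observed, zone, legit_blocks):
    """Subdomains of `zone` resolving outside the blocks its owner actually uses."""
    legit = [ipaddress.ip_network(b) for b in legit_blocks]
    return sorted(name for name, ip in observed.items()
                  if zone_of(name) == zone
                  and not any(ipaddress.ip_address(ip) in b for b in legit))
```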

Targeted Spamming of Bankers Malware

This particular incident is interesting mostly because it's a good example of how, once a site gets compromised, the potential for abusing that access for malware distribution becomes very realistic. This is in fact what happened with autobroker.com.pl, as the following URLs were active as of yesterday and are now down following notification. Basically, the compromised host, compromised in an automatic and efficient way for sure, started acting as the foundation for the campaign, which by the looks of it was spammed in a targeted manner. A tiny PHP file at autobroker.com.pl/l.php was launching the downloader :

TROJ.BANLOAD
Result: 18/31 (58.07%)
File size: 46080 bytes
MD5: 690e71077c9d78347368c6cf8752741e
SHA1: 7dedad0778a24c69d6df4c8ceedc94f20292473e

The downloader then drops the following bankers, which are strangely hosted on the French site Opus Citatum and are still active :

opuscitatum.com/modules/PHP%20Files/__steampw12318897_.exe

Trojan-Spy.Win32.Banker.ciy
Result: 9/32 (28.13%)
File size: 2498560 bytes
MD5: cee1fdea650487e0865a1b8831db1e73
SHA1: ad55ff3e5519d88b930d6a0a695e71fcc253351e

opuscitatum.com/modules/PHP%20Files/Ivete_Sangalo.scr

Trojan.PWS.Banker
Result: 13/32 (40.63%)
File size: 2505216 bytes
MD5: 1bdb0d3e13b93c76e50b93db1adeed3e
SHA1: f472693da81202f4322425b952ec02cbff8d72bc

The campaign was originally spammed with the messages "Chegou 1 vivo foto torpedo" and "Vivo torpedo foi enviado de um celular para seu e", using the web-based spammer you can see in the attached screenshot.

More info on banking malware, comments on a recently advertised metaphisher malware kit with hosts infected by banker trojans only, showcasing the malicious economies-of-scale mentality of botnet masters, as well as related posts on targeted malware attacks.